Traditionally, merchants looking to accept payments online are forced to trade off between the level of control over their customers' experience and the amount of investment required to accept payments online.
Some merchants choose to minimize their investment by working with third parties to handle all their payment needs. In these cases, the merchants redirect their customers to the third party, which is responsible for capturing the payment information and processing the transaction. The third party will later pay the merchants for successful transactions under the terms previously agreed upon. While simple, this approach results in a very poor user experience. Customers are redirected from the merchant site to the third party site (where they are often required to login or create a new account), causing confusion and customer abandonment. This flow also makes it difficult to handle changes to customer orders or to upsell customers on new products post purchase.
Merchants looking to have more control over their customers' user experience usually invest time and money to build their own payment infrastructure. This usually requires that the merchant capture payment information from their customers and send it to a third party payment gateway for real-time authorization of transactions and subsequent settlement of funds. This approach allows merchants to build the entire payment flows on their site. However, this approach requires that the companies implement systems and policies to ensure the secure handling, transmission, and storage of their customers' sensitive payment information. These systems and policies must also be in compliance with the credit card networks as defined by various standards such as PCI Security Standard. Furthermore, merchants are liable for the protection and security of their customers' information.
Some of the payment gateways offer credit card storage services to reduce merchants' exposure to sensitive data. These gateways offer tokenization technology whereby a merchant can submit sensitive payment information to the gateway and receive a token that serves as a proxy for the sensitive payment data and can be securely stored in the merchant's systems to execute subsequent charges. While this approach reduces some of the requirements and liabilities associated with storing sensitive payment data, it still requires that the merchant handle and transmit sensitive payment information prior to receiving the token from the gateway. Thus, the merchant is still responsible for ensuring that their systems and policies are secure enough to handle this type of information and comply with all the industry data protection standards.